CVE-2015-9189
Description
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear IPQ4019, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 600, SD 615/16/SD 415, SD 808, and SD 810, processing of TZ application command in tz_app_cmd_handler function could lead to potential content disclosure of secure memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Qualcomm TZ application command handler in multiple Snapdragon SoCs can disclose secure memory contents.
Vulnerability
A vulnerability exists in the tz_app_cmd_handler function of the TrustZone (TZ) application command handler in Qualcomm Snapdragon Mobile and Snapdragon Wear platforms. The affected chipsets include IPQ4019, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 600, SD 615/16/SD 415, SD 808, and SD 810 [1]. The issue is present in Android builds with security patch levels before April 2018 [1]. Processing of a TZ application command within the tz_app_cmd_handler function can lead to potential content disclosure of secure memory [1].
Exploitation
An attacker must be able to send a crafted TZ application command to the vulnerable handler. No authentication is mentioned as a prerequisite, implying the attack vector could be local or via a malicious application that reaches the TZ interface [1]. The attacker would then trigger the vulnerable code path in tz_app_cmd_handler, which does not properly restrict memory access during command processing [1].
Impact
Successful exploitation results in the disclosure of contents from secure memory regions [1]. This compromises the confidentiality of data normally protected by the TrustZone environment, potentially exposing cryptographic keys, credentials, or other sensitive information [1].
Mitigation
The fix is included in Android security patch level 2018-04-05 or later [1]. Users should ensure their devices receive the April 2018 or later Android Security Bulletin update to address this vulnerability [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: before 2018-04-05 security patch level
- Range: before 2018-04-05 security patch level
- Qualcomm, Inc./Snapdragon Mobile, Snapdragon Wearv5Range: IPQ4019, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 600, SD 615/16/SD 415, SD 808, SD 810
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- www.securityfocus.com/bid/103671mitrevdb-entryx_refsource_BID
- source.android.com/security/bulletin/2018-04-01mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.